Encrypting SOAP message

My Blackbox version is 9.0.203. With your help I was able to solve XML signing some years back. Now I am trying to encrypt a SOAP message, and I am having difficulty understanding all the nested and complicated BlackBox classes.
Below are a working sample and the sample that I can produce with BBX.

Compared to original sample my output seems to have at least these differences:

1) There is no 'xenc:' prefix. This kind of crypting-related constant can be found in the BBX sources. I wonder if that prefix is necessary for crypting purposes, and how can I add these prefixes?

2) The <EncryptedData> lines are different. My BBX adds two extra namespaces. How can I alter this behaviour?

3) If I fill in the <EncryptedKey> value before calling TElXMLEncryptor.Encrypt, then the <EncryptedKey> value will not stay in the crypted output. I can add this XML node afterwards by calling:
TElXMLEncryptor.EncryptedData.EncryptedKey.Recipient := 'name:AbcBankCryptCERT',
but this probably is not the designed way how to call and use this.

4) I cannot find a way to keep <ds:RSAKeyValue> from appearing in the crypted output.
If I try to set the TElXMLEncryptor.EncryptKey := False, then application halts.

This same behaviour is also in Simple Signer Sample. In Simple Signer if I turn that same value to False, also it will raise exception.

---
I saw you have published some new SOAP related 12.x versions too. I wonder if they would be for any help with this matter?

Quote

3) If I fill in the <EncryptedKey> value before calling TElXMLEncryptor.Encrypt, then the <EncryptedKey> value will not stay in the crypted output. I can add this XML node afterwards by calling:
TElXMLEncryptor.EncryptedData.EncryptedKey.Recipient := 'name:AbcBankCryptCERT',
but this probably is not the designed way how to call and use this.

It is the right place. The Encrypt method encrypts data and generates an EncryptedData structure that you can modify prior to saving to XML.

Quote

4) I cannot find a way to keep <ds:RSAKeyValue> from appearing in the crypted output.
If I try to set the TElXMLEncryptor.EncryptKey := False, then application halts.

If you set the EncryptKey property to false, then the component expects a symmetric key, and the component should raise an exception if you set an object other than TElXMLKeyInfoSymmetricData to the KeyData property.
If you don't want to include the RSAKeyValue element, just disable the TElXMLKeyInfoX509Data.IncludeKeyValue property for the KeyEncryptionKeyData key.

Quote

I saw you have published some new SOAP related 12.x versions too. I wonder if they would be for any help with this matter?

I'll post here a snippet of the code showing how I create that output. The TElX509Certificate component probably would not be needed at all. But I have never got this style from BBX Samples to load the Public Key:

You can't remove a namespace declaration that is being used if it is not defined in the parent elements. The prefix itself doesn't hold enough information to identify an element. In short, the local name (the name without a prefix) and the namespace URI are the main info of the element, and the prefix is secondary info (for usability).

Thanks for your response. I have a crypted XML sample that returns some response from the bank. My SOAP XML does not get any response. I am trying to make sure my BBX-created XML is as identical as possible. Now BBX already creates almost identical output.

As you can see, BBX puts that 'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"' namespace differently than the working code. I have not found a property or setting that would make it appear in <dsig:KeyInfo>.

My simple idea was to move it inside XML to the wanted location. So take it out where it is now, and re-create it in <dsig:KeyInfo> node. Bank really gives response only with the original sample, not with my sample.

I am not sure if that namespace location has anything to do with it. The reason may be somewhere inside my crypted SOAP nodes anyway.

Quote

As you can see, BBX puts that 'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"' namespace differently than the working code. I have not found a property or setting that would make it appear in <dsig:KeyInfo>.

My simple idea was to move it inside XML to the wanted location. So take it out where it is now, and re-create it in <dsig:KeyInfo> node. Bank really gives response only with the original sample, not with my sample.

To change the "ds" prefix you can use the SignaturePrefix property; it is similar to the EncryptionPrefix property, for example:

Thanks, that "namespace declaration for KeyInfo element would be created automatically" was just the magic I was missing. I immediately got the SOAP nodes to look like those in the original sample.

Yet it took this long to find what was causing my SOAP messages to still be rejected by the bank, with not a single line as response. After checking and testing several, several times all the possible SOAP lines, key lengths etc., I finally found what the difference was.

For a long time I thought it was the missing BBX <CR>s, or some other invisible magic after that, that kept my identical SOAP messages rejected by the bank. Finally I found it was the invisible BOM at the beginning. The bank did not accept that and stayed completely silent.

I knew the existence of BOM in general. This new SOAP encrypting operation just brought it there so silently. Took days and I could not realize it, as there were tens of other lines and things to suspect.
But thanks, now it looks much better already.
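
An added example, not from the thread or from SecureBlackbox: a Python check that compares a known-good message with a generated one the way a namespace-aware parser sees them (expanded names, so prefix choice and the position of the xmlns declaration drop out), and separately inspects the raw bytes for the UTF-8 BOM the poster found. Both XML samples and all function names are constructed for illustration; element text is not compared because ciphertext differs on every run.

```python
import xml.etree.ElementTree as ET

UTF8_BOM = b"\xef\xbb\xbf"
XENC = "http://www.w3.org/2001/04/xmlenc#"
DSIG = "http://www.w3.org/2000/09/xmldsig#"

def build(xp, dp, ds_on_root, cipher):
    """Constructed EncryptedData sample; xp/dp are the xenc/dsig prefixes ('' = default ns for xp)."""
    x = xp + ":" if xp else ""
    x_decl = ' xmlns%s="%s"' % (":" + xp if xp else "", XENC)
    d_decl = ' xmlns:%s="%s"' % (dp, DSIG)
    root_ds, key_ds = (d_decl, "") if ds_on_root else ("", d_decl)
    return (f'<{x}EncryptedData{x_decl}{root_ds}>'
            f'<{x}EncryptionMethod Algorithm="{XENC}aes128-cbc"/>'
            f'<{dp}:KeyInfo{key_ds}><{dp}:KeyName>constructed</{dp}:KeyName></{dp}:KeyInfo>'
            f'<{x}CipherData><{x}CipherValue>{cipher}</{x}CipherValue></{x}CipherData>'
            f'</{x}EncryptedData>').encode("utf-8")

# Constructed stand-ins: the accepted sample style vs. the generated style described in the thread.
REFERENCE = build("xenc", "dsig", False, "QUJD")
CANDIDATE = UTF8_BOM + build("", "ds", True, "REVG")

def split_bom(raw):
    """Return (has_bom, bytes_without_bom) for a UTF-8 byte order mark."""
    return (True, raw[3:]) if raw.startswith(UTF8_BOM) else (False, raw)

def shape(elem):
    """Namespace-aware skeleton: expanded {uri}local names and attributes; prefixes,
    xmlns placement and text (ciphertext changes on every run) are ignored."""
    return (elem.tag, tuple(sorted(elem.attrib.items())), tuple(shape(c) for c in elem))

def compare(reference, candidate):
    """Report BOM and namespace-aware structural differences, in the order checked."""
    findings = []
    ref_bom, ref_body = split_bom(reference)
    cand_bom, cand_body = split_bom(candidate)
    if ref_bom != cand_bom:
        findings.append("bom-mismatch")
    if shape(ET.fromstring(ref_body)) != shape(ET.fromstring(cand_body)):
        findings.append("structure-differs")
    return findings

if __name__ == "__main__":
    print(compare(REFERENCE, CANDIDATE))      # the BOM is the only finding; prefixes do not count
    print(compare(REFERENCE, CANDIDATE[3:]))  # no findings once the BOM is stripped
```

Run it against the exact bytes that go on the wire, not text copied from an editor, since editors usually hide the BOM.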